tag 883314 pending
thanks

Hello,
Bug #883314 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/collab-maint/wordpress.git/commit/?id=5d5ab9f

---
commit 5d5ab9f7749187a352c3db3bc765972c5cbf176e
Author: Craig Small <csm...@debian.org>
Date:   Sat Dec 9 18:30:08 2017 +1100

    Security backport from 4.9.1

    Backport of 4 patches from 4.9.1 to address security issues.
    Addresses CVE-2017-17091 CVE-2017-17092 CVE-2017-17093 and
    CVE-2017-17094

diff --git a/debian/changelog b/debian/changelog index 5610d83..b18edcf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,24 @@ +wordpress (4.7.5+dfsg-2+deb9u2) stretch-security; urgency=high + + * Backport security patches from 4.9.1 Closes: #883314 + - CVE-2017-17091 + Use a properly generated hash for the newbloguser key instead + of a determinate substring. + Changeset 42272 + - CVE-2017-17092 + Remove the ability to upload JavaScript files for users who + do not have the unfiltered_html capability + Changeset 42275 + - CVE-2017-17093 + Add escaping to the language attributes used on html elements + Changeset 42273 + - CVE-2017-17094 + Ensure the attributes of enclosures are correctly escaped in + RSS and Atom feeds + Changeset 42274 + + -- Craig Small <csm...@debian.org> Sat, 09 Dec 2017 18:13:16 +1100 + wordpress (4.7.5+dfsg-2+deb9u1) stretch-security; urgency=medium * Backport patches from 4.8.2 Closes: #876274
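
Review bot: In the new 4.7.5+dfsg-2+deb9u2 entry, each CVE item cites an upstream changeset (42272, 42275, 42273, 42274) but none names the patch file in the package that carries the fix, so the changelog alone does not let a reader map a CVE to the change that was applied. Consider adding the patch filename next to each "Changeset" line. The visible diff covers only debian/changelog, so the four backported patches that the commit message mentions cannot be checked against these descriptions here. As a wording point, "determinate substring" in the CVE-2017-17091 item would read more clearly as "deterministic substring" or "predictable substring".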